Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 12:05
Static task: static1
Behavioral task: behavioral1
Sample: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Resource: win10v2004-20240802-en
General
Target: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Size: 1.8MB
MD5: f92bc75eb1dd5151fcda78609b39c232
SHA1: 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512: bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6
SSDEEP: 49152:oO5c9L38zV/FRevzokIcEQPHzIF+Lvnfs89O/eXHwlN2jmpVEdTea:d5cZ38bEvzoktUF+ffs8oD4m6Ka
Malware Config

Extracted: amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted: stealc
nord
http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted: stealc
kora
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe (×3)
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe

Executes dropped EXE (6 IoCs)
pid | Process
2092 | svoutse.exe
2168 | b0ddec3c49.exe
2308 | e9488c3122.exe
2684 | e57bb73e4a.exe
5368 | svoutse.exe
3312 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | svoutse.exe (×3)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0ddec3c49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b0ddec3c49.exe" | svoutse.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3632-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3632-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3632-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
4928 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
2092 | svoutse.exe
5368 | svoutse.exe
3312 | svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2168 set thread context of 3632 | 2168 | b0ddec3c49.exe | 86
PID 2308 set thread context of 2672 | 2308 | e9488c3122.exe | 90

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0ddec3c49.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9488c3122.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb73e4a.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4928 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe (×2)
2092 | svoutse.exe (×2)
5368 | svoutse.exe (×2)
3312 | svoutse.exe (×2)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4944 | firefox.exe (×5)
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4928 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
3632 | RegAsm.exe (×7)
4944 | firefox.exe (×21)
3632 | RegAsm.exe (×35)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
3632 | RegAsm.exe (×64)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4944 | firefox.exe (×4)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4928 wrote to memory of 2092 | 4928 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe | 82 (×3)
PID 2092 wrote to memory of 2168 | 2092 | svoutse.exe | 84 (×3)
PID 2168 wrote to memory of 3632 | 2168 | b0ddec3c49.exe | 86 (×10)
PID 2092 wrote to memory of 2308 | 2092 | svoutse.exe | 87 (×3)
PID 2308 wrote to memory of 2716 | 2308 | e9488c3122.exe | 88 (×3)
PID 2308 wrote to memory of 1884 | 2308 | e9488c3122.exe | 89 (×3)
PID 2308 wrote to memory of 2672 | 2308 | e9488c3122.exe | 90 (×9)
PID 2092 wrote to memory of 2684 | 2092 | svoutse.exe | 91 (×3)
PID 3632 wrote to memory of 3032 | 3632 | RegAsm.exe | 92 (×2)
PID 3032 wrote to memory of 4944 | 3032 | firefox.exe | 95 (×11)
PID 4944 wrote to memory of 1256 | 4944 | firefox.exe | 96 (×14)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
    command: "C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe"
    PID: 4928
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      command: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      PID: 2092
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe
        command: "C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe"
        PID: 2168
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 3632
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 3032
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              PID: 4944
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7ef9592-d131-4334-8731-d970d88ff382} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" gpu
                PID: 1256

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f561ab1e-611a-44cd-a335-9b9fb094e9df} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" socket
                PID: 1788

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2872 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c0b05a1-b068-44c2-8176-7b5f5c482470} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 1480

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f916bf77-2171-4b67-ae80-db9b48193152} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 4196

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4596 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bda9eb8-c877-421f-83a2-3a6e22d52ecc} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" utility
                PID: 5296
                - Checks processor information in registry

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {625d54de-82d4-4098-a371-ccf504a165f3} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 5924

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5404 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ffc7c5-da17-4382-8201-49226d856c41} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 5968

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e04389f-4205-42c6-8ea1-a3bf8779c1cd} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 5980

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 6284 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16948aaa-4b2d-4d73-977b-08e293189448} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab
                PID: 3128

    [3] C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe
        command: "C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe"
        PID: 2308
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 2716

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 1884

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 2672
          - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\1000003002\e57bb73e4a.exe
        command: "C:\Users\Admin\1000003002\e57bb73e4a.exe"
        PID: 2684
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    command: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 5368
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    command: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 3312
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: e685d6b98ec2c2f0999d20cd953ae1f5
SHA1: b03bbf59312de30ee65b27f320dc9a2b59b860f8
SHA256: 1ce2587d565c3716d10f37413fb0f16bead38096f5612eba182ce2ff09d562ee
SHA512: b081625b7973030ed3767fe09c61609f2db6aec758f423b0568011e8185deec3fd3325677e3e4137497387c5611915b583e8fc5b6078aed3cf9f37909550b1de

Filesize: 1.8MB
MD5: f92bc75eb1dd5151fcda78609b39c232
SHA1: 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512: bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6

Filesize: 1.2MB
MD5: 308d0996727a81dfcb72a69e1a132108
SHA1: 9b48220c70d23d2022dd33b142ba6ff8f878c7e6
SHA256: 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88
SHA512: 65503827ac96c6a81c6ab6a6428286b6b43fd78ded0ec255e21ca3d6f2f4ce8f2fb4f3167afcfd7c6e9b997dd448c937bea01b676f645f33dfe4fd9b88ad2c25

Filesize: 196KB
MD5: aa217dbf9cb8080176f0bae19edc6305
SHA1: 1753b00e1dddb7d9635ad0e9d285907445cc70b6
SHA256: fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
SHA512: 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
Filesize: 8KB
MD5: aa480daa22721bad5570cff912fe1405
SHA1: 73fd3d614c95027c7b774ed8b5958eca97bfb84d
SHA256: 8cb9eb8f2a553ecd2e99374e5168dfbf716fa4d071729026d8be1959a088a119
SHA512: a12453d17448c5681fa21ae112956714dd16222113a1bb7ed2dfc3e8bfd1558f8990a9d4f8902b215e89f6d15683e03b1cf8ae947d91b666a305f354de7fdcc4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 22ff3ec714061cf416f11f954a70ac04
SHA1: 1a18f0152731ba4f42068e5396c4045da22e7bad
SHA256: 10d6e00b715d08cf5ae68d1fc574ff95a7f55684ad2ecf164134e988dcc4f1fc
SHA512: a2f4c38cb8513c267e854f9d1c4be7b372773bc13e0ccd82f800a1aa1cd7cb6b0fd08b874e354b47fb49b1315c6646c5ee5a511b3dd7b89afab1e90cc7a947b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: eec66f909559e3b976cb6b850fb7c291
SHA1: 899c9b021f4d6ba43e11626d8000eb6cc5fce005
SHA256: b31d9da579ec9c0ca878f9ee556e861c7a534b8577f24c03dd0287ec8aa166da
SHA512: 50416f02f6243ba513246aa380bf9be8f6ee4b26a7daa139521ad647043e2dcbb5b154f057aaea5afe2977b314a6acc8eb855c053e1ac42f6438143d70a6f248

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\59cd549f-269b-49ad-b027-d78c707af148
Filesize: 27KB
MD5: 813e0a2c2bcc0528099af2f4c6de2b56
SHA1: a5ad2d423e3105af9b8c2b77cbe1c306176406d1
SHA256: 1f93297f4cc794def2b6b1f38603761473e9e0bf09b655f4867d0ec39262c25d
SHA512: c72eb89faa33d9883f9f2bc7c6e48136a94958d38c25af5b49c3c73c58e39f20e1178f6e7af07af73c8477fff8af740fc8263a71c8e77285aba8aca0d057e7c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\857e70ad-1f2a-45de-8a5d-d608e1336b7a
Filesize: 671B
MD5: 470d1f4fe6092fecc9663d41e1ea532b
SHA1: 72156105e5698abe55da49e969fbbc6740303af9
SHA256: a1a4d1c2d31c00663f1725d86162c04368f51429d55917ae2a19ed4b6cb4c3a0
SHA512: 09d688e8f2597989e2eecbfcf643c2bda3297cd50f0a447a9300f94c8231b579e8374f8b30f4b1c5f694b8cef6d460e5dd5a9863c09b278fa1b8a5907c0c05cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\beb2df4e-a7d3-474d-8245-51118eda4006
Filesize: 982B
MD5: 3040b0bcb79bd2d379022b9a6c3e4a86
SHA1: 8112462c42176b60204c3760712d495c48bec5e2
SHA256: 12739d6c3eab0b1d7d4ef93774a0d9965862eb553988174b5d1f82895bf2e0fe
SHA512: 00c7a9072985dda927918c56172e1c4d411f30588a591257ef9fab76a6e0fe1d8a9d929ae5a118261ab04752ce963dd03f306ee2adf2afa2550b8c0c417c5248

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
Filesize: 12KB
MD5: d6c42aef4e49e660dcf7327789a750b0
SHA1: 3cc00960a8f19db7e34d4499df58ab97eb0be250
SHA256: f58ba012c822fe2f3bc4ca4fb31ba2ba11d42b884706aebd3cc247358f7db74e
SHA512: 1cc5bd78f6dabd64a3a0ba8cacc61612dfde64a26ac76cf0fde89fa0adcd7e98ace46eede04aafce22bb50eab17b003141629a93870c5656bb145d7fe0017dbd

Filesize: 16KB
MD5: b96aac92e3863f23bf23c6bdaf66ea5c
SHA1: ea126ce8a6257092b9ef8d43fb92e85f174968e2
SHA256: 2de07512dbdc49f8e28c94d82b9e1a989a3f5c86f10ad7ce8e4f8d6978298639
SHA512: 58225a10775c43e5d533ff95bd12d69423f704878dc243f350711216bd192cd6a8e91d4823b11849562d9c5f2fb550d5dc0b85241065405ce341817d7ab77146

Filesize: 11KB
MD5: aefa22505f7ed576596f16e62c38d359
SHA1: 5a59c0a931d41264a6b657a5dc43295d1bdbd897
SHA256: 42a6fc937695cecdf9b721709a26af0518ff4888c0474a743946428456226ac1
SHA512: 5bf16a9ad75f88fdee8c8b4056cb083434c6c77590a6565ddc140e82211ba67335a76c7121d17cd91c49d4d26ba7ec30d25d89f789b1d7cf57b9d251c7999bfd

Filesize: 11KB
MD5: e77750a9bb64c4d6e4fe91f9075a2c32
SHA1: 6399a4ff81f03b776438fe45711708d2de407724
SHA256: d6eff04f5394a72de86250804b81a7598b4304a2433fdb0a53f3406395354342
SHA512: 80074651108fbc79088b62e0cce3218b03882bf9291dc2894681484099b28c3911e83671882a23b2120d009761caf4f4fc1db0bcb5d32af45e2fa051d1a5fe5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: 70e321c4b68641550b790af7dc1141d1
SHA1: b14d24fe204f6b775efc54744336e689c4683db5
SHA256: 8ef78fb111cb86c832ffdeda5ce1773b143416bc8b29240ebc734e26ea2d0971
SHA512: 834c581b18b1c0ab8cb86c7e34597e77aa0c9c7c142881ab064c893c9ca8932a7491546cb49d67d5847e6e6948e4fc59581093e8bb031b1917d7ecf78c7f3b2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.1MB
MD5: 63b2f773c7596a55de1f245b0530b72f
SHA1: 241c9ae25ff6e41bc273b2320c0fd0e9ea3f8798
SHA256: 7527acf8ab2602e576ca7e70ab391bfc36c60ad49e807ceebba6ea6f2b52280e
SHA512: 8f8db765ce9e50d637a6242273d9edf7618d2b2b9374aa6cf8bd36b7869267702afd332583f3a09571e747ca3f3e89c5f9daa94eceb2da44470fb8bc2753bbd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 2.9MB
MD5: e61d239c68fd1e9200b04c176dc71936
SHA1: 693ee3e335219fe97b19b67431db07dc8b3abf9d
SHA256: 65e526a1d4f1a0e03b3abdf63444251495afd82f85f8d98a541f3e8f3c0b8abf
SHA512: 192fc18d1df4d82020ce9199e6a26c4e1dc1b0a471a16260b285b191ef13fd98dd834eb2024dbd3e91c5ad2dad836f25ef8659168bcc6d08e39411f2f10c37ed