Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 17-08-2024 11:18
Static task: static1
Behavioral task: behavioral1
Sample: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Resource: win10v2004-20240802-en
General
Target: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Size: 1.8MB
MD5: 0341c85ca79dd94606a80b217ccb3e60
SHA1: 8c62747c0170ffb2006b8152cde98bf254a685c4
SHA256: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
SHA512: afc2258f90fe4343f4af4a5d2f598958ccc83e6d58339693f9a0f03b3e31ce70ff3f9d927a4592c2e5537e2bd6bd7d0bf731efd5c56779a2378bf2676098ba91
SSDEEP: 49152:FcOtBefrOlh5FVPANGemCDzK4Z8E0i/ppkSR/8Y:FWfrOlXANGemwzKTYpOS
Malware Config
Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, the web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe (x4)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | svoutse.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE (7 IoCs)
  pid | Process
  1736 | svoutse.exe
  928 | svoutse.exe
  4364 | b9ac3a22ea.exe
  3228 | fc92cd8874.exe
  2492 | c5156435d9.exe
  5996 | svoutse.exe
  1968 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9ac3a22ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b9ac3a22ea.exe" | svoutse.exe
AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/3440-53-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/3440-56-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/3440-58-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  4088 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  1736 | svoutse.exe
  928 | svoutse.exe
  5996 | svoutse.exe
  1968 | svoutse.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4364 set thread context of 3440 | 4364 | b9ac3a22ea.exe | 99
  PID 3228 set thread context of 3588 | 3228 | fc92cd8874.exe | 104
Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\svoutse.job | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc92cd8874.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5156435d9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9ac3a22ea.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4088 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe (x2)
  1736 | svoutse.exe (x2)
  928 | svoutse.exe (x2)
  5996 | svoutse.exe (x2)
  1968 | svoutse.exe (x2)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3612 | firefox.exe (x2)
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process (64 entries; consecutive duplicate rows collapsed)
  4088 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  3440 | RegAsm.exe
  3612 | firefox.exe
  3440 | RegAsm.exe
Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process (64 entries; consecutive duplicate rows collapsed)
  3440 | RegAsm.exe
  3612 | firefox.exe
  3440 | RegAsm.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3612 | firefox.exe (x4)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (identical rows collapsed with their count)
  PID 4088 wrote to memory of 1736 | 4088 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | 87 (x3)
  PID 1736 wrote to memory of 4364 | 1736 | svoutse.exe | 98 (x3)
  PID 4364 wrote to memory of 3440 | 4364 | b9ac3a22ea.exe | 99 (x10)
  PID 1736 wrote to memory of 3228 | 1736 | svoutse.exe | 100 (x3)
  PID 3228 wrote to memory of 3720 | 3228 | fc92cd8874.exe | 101 (x3)
  PID 3228 wrote to memory of 3632 | 3228 | fc92cd8874.exe | 102 (x3)
  PID 3228 wrote to memory of 724 | 3228 | fc92cd8874.exe | 103 (x3)
  PID 3228 wrote to memory of 3588 | 3228 | fc92cd8874.exe | 104 (x9)
  PID 1736 wrote to memory of 2492 | 1736 | svoutse.exe | 105 (x3)
  PID 3440 wrote to memory of 1308 | 3440 | RegAsm.exe | 106 (x2)
  PID 1308 wrote to memory of 3612 | 1308 | firefox.exe | 108 (x11)
  PID 3612 wrote to memory of 1768 | 3612 | firefox.exe | 109 (x11)
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1  C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   PID: 4088
   2  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1736
      3  C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4364
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 3440
            5  C:\Program Files\Mozilla Firefox\firefox.exe
               Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
               - Suspicious use of WriteProcessMemory
               PID: 1308
               6  C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  PID: 3612
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6d31328-9dcc-4024-8227-57c8f0593629} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" gpu
                     PID: 1768
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73fa5a19-2e63-4106-ac4e-d25fc975c983} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" socket
                     PID: 4672
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2db5b05-8187-4296-93c4-45f538d593a3} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 2868
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 2804 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e399b850-b8f0-450b-96ef-1d38a7e3059f} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 1428
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1248 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4236 -prefMapHandle 4228 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7537a940-4344-44f3-9857-9f2dbc0b5539} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" utility
                     - Checks processor information in registry
                     PID: 5388
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 3 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa9663f0-decd-46ad-8eef-23601a6ac560} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 3432
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 4 -isForBrowser -prefsHandle 5804 -prefMapHandle 5704 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bde6f6dc-fcae-4bfa-8322-a0c9b60e3e82} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 4968
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 5 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0025d06b-f17e-43ac-b00c-61a886350334} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 4588
                  7  C:\Program Files\Mozilla Firefox\firefox.exe
                     Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 6 -isForBrowser -prefsHandle 6276 -prefMapHandle 6280 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {228fd4a5-3f16-430f-8e0a-e06c8b53eb5f} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab
                     PID: 2160
      3  C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3228
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 3720
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 3632
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 724
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - System Location Discovery: System Language Discovery
            PID: 3588
      3  C:\Users\Admin\1000003002\c5156435d9.exe
         Command line: "C:\Users\Admin\1000003002\c5156435d9.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 2492
1  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   PID: 928
1  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   PID: 5996
1  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   PID: 1968
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads