Analysis
max time kernel: 149s
max time network: 147s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 11:18
Static task: static1
Behavioral task: behavioral1
Sample: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Resource: win10v2004-20240802-en
General
Target: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Size: 1.8MB
MD5: 0341c85ca79dd94606a80b217ccb3e60
SHA1: 8c62747c0170ffb2006b8152cde98bf254a685c4
SHA256: d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
SHA512: afc2258f90fe4343f4af4a5d2f598958ccc83e6d58339693f9a0f03b3e31ce70ff3f9d927a4592c2e5537e2bd6bd7d0bf731efd5c56779a2378bf2676098ba91
SSDEEP: 49152:FcOtBefrOlh5FVPANGemCDzK4Z8E0i/ppkSR/8Y:FWfrOlXANGemwzKTYpOS
Malware Config
Extracted: amadey
  version: 4.41
  botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Extracted: stealc
  botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Executes dropped EXE 7 IoCs
pid | Process
3572 | svoutse.exe
1364 | svoutse.exe
4792 | b9ac3a22ea.exe
2276 | e26b810f61.exe
2348 | fc92cd8874.exe
5956 | svoutse.exe
1480 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9ac3a22ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b9ac3a22ea.exe" | svoutse.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3828-53-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3828-57-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/3828-58-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
3064 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
3572 | svoutse.exe
1364 | svoutse.exe
5956 | svoutse.exe
1480 | svoutse.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4792 set thread context of 3828 | 4792 | b9ac3a22ea.exe | 87
PID 2276 set thread context of 3616 | 2276 | e26b810f61.exe | 89
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e26b810f61.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc92cd8874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9ac3a22ea.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
3064 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
3064 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
3572 | svoutse.exe
3572 | svoutse.exe
1364 | svoutse.exe
1364 | svoutse.exe
5956 | svoutse.exe
5956 | svoutse.exe
1480 | svoutse.exe
1480 | svoutse.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2284 | firefox.exe
Token: SeDebugPrivilege | 2284 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2284 | firefox.exe
2284 | firefox.exe
2284 | firefox.exe
2284 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences
PID 3064 wrote to memory of 3572 | 3064 | d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | 81 | 3
PID 3572 wrote to memory of 4792 | 3572 | svoutse.exe | 84 | 3
PID 4792 wrote to memory of 4064 | 4792 | b9ac3a22ea.exe | 85 | 3
PID 4792 wrote to memory of 5028 | 4792 | b9ac3a22ea.exe | 86 | 3
PID 4792 wrote to memory of 3828 | 4792 | b9ac3a22ea.exe | 87 | 10
PID 3572 wrote to memory of 2276 | 3572 | svoutse.exe | 88 | 3
PID 2276 wrote to memory of 3616 | 2276 | e26b810f61.exe | 89 | 9
PID 3572 wrote to memory of 2348 | 3572 | svoutse.exe | 90 | 3
PID 3828 wrote to memory of 4156 | 3828 | RegAsm.exe | 91 | 2
PID 4156 wrote to memory of 2284 | 4156 | firefox.exe | 94 | 11
PID 2284 wrote to memory of 3860 | 2284 | firefox.exe | 95 | 14
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1 C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3064
  2 C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3572
    3 C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4792
      4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4064
      4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 5028
      4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3828
        5 C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          PID: 4156
          6 C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2284
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99385c36-f859-4d44-89e7-b88b312ba4ba} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" gpu
              PID: 3860
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c99cc97c-07ae-4d30-85dc-21b9e7491dc7} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" socket
              PID: 792
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3196 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5624262a-f975-40a5-a2d3-60e4dcd76664} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 2992
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 2932 -prefMapHandle 3056 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b94bf5e-d973-4f7b-b049-12ba56244a8f} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 2696
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4936 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {452c54e1-992f-432a-849b-13f5b5b8f8a9} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" utility
              - Checks processor information in registry
              PID: 1040
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ea19b6-15e6-4a5c-b59b-9514035ec57b} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 5932
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 4 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a3e757-a2da-4921-aa4c-16680ba2c529} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 6100
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 5 -isForBrowser -prefsHandle 5968 -prefMapHandle 5972 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94199de7-0bb8-4213-88e4-533a715d5f89} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 6112
            7 C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5968 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab61f012-fc7b-41b6-b9e5-a3657aa14d47} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab
              PID: 5148
    3 C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2276
      4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 3616
    3 C:\Users\Admin\1000003002\fc92cd8874.exe
      command line: "C:\Users\Admin\1000003002\fc92cd8874.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2348
1 C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1364
1 C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 5956
1 C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1480
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads