Analysis
max time kernel 149s
max time network 148s
platform windows11-21h2_x64
resource win11-20240802-en
resource tags arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted 17-08-2024 12:16
Static task static1
Behavioral task behavioral1
Sample fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe
Resource win10v2004-20240802-en
General
Target fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe
Size 196KB
MD5 aa217dbf9cb8080176f0bae19edc6305
SHA1 1753b00e1dddb7d9635ad0e9d285907445cc70b6
SHA256 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
SHA512 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab
SSDEEP 3072:WLu7fYShS0xDMntOaAH7Xwe8nlNay0lGwTlG03SY/9VjAG+sHI:W4YShFxQZAHse8bay0xlrCskG+
Malware Config
Extracted
stealc
nord
http://185.215.113.100
url_path /e2b1563c6670f193.php
Extracted
amadey
4.41
c7817d
http://31.41.244.10
install_dir 0e8d0864aa
install_file svoutse.exe
strings_key 5481b88a6ef75bcf21333988a4e47048
url_paths /Dem7kTu/index.php
Extracted
stealc
kora
http://185.215.113.100
url_path /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ RoamingHJJJDAEGID.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RoamingHJJJDAEGID.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RoamingHJJJDAEGID.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe
Executes dropped EXE 7 IoCs
pid Process
4772 RoamingHJJJDAEGID.exe
2964 svoutse.exe
736 c6890516f9.exe
3888 8bd2c04262.exe
1620 8efb2a0d6e.exe
5252 svoutse.exe
4712 svoutse.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine svoutse.exe
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine svoutse.exe
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine svoutse.exe
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine RoamingHJJJDAEGID.exe
Loads dropped DLL 2 IoCs
pid Process
3992 RegAsm.exe
3992 RegAsm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6890516f9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\c6890516f9.exe" svoutse.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/3076-137-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
behavioral2/memory/3076-135-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
behavioral2/memory/3076-132-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process
4772 RoamingHJJJDAEGID.exe
2964 svoutse.exe
5252 svoutse.exe
4712 svoutse.exe
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 2680 set thread context of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 736 set thread context of 3076 736 c6890516f9.exe 95
PID 3888 set thread context of 4688 3888 8bd2c04262.exe 99
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\Tasks\svoutse.job RoamingHJJJDAEGID.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6890516f9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8bd2c04262.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8efb2a0d6e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RoamingHJJJDAEGID.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
3992 RegAsm.exe
3992 RegAsm.exe
3992 RegAsm.exe
3992 RegAsm.exe
4772 RoamingHJJJDAEGID.exe
4772 RoamingHJJJDAEGID.exe
2964 svoutse.exe
2964 svoutse.exe
5252 svoutse.exe
5252 svoutse.exe
4712 svoutse.exe
4712 svoutse.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 3392 firefox.exe
Token: SeDebugPrivilege 3392 firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4772 RoamingHJJJDAEGID.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3392 firefox.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe 3076 RegAsm.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3392 firefox.exe
3392 firefox.exe
3392 firefox.exe
3392 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 2680 wrote to memory of 3992 2680 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe 82
PID 3992 wrote to memory of 1896 3992 RegAsm.exe 90
PID 3992 wrote to memory of 1896 3992 RegAsm.exe 90
PID 3992 wrote to memory of 1896 3992 RegAsm.exe 90
PID 1896 wrote to memory of 4772 1896 cmd.exe 92
PID 1896 wrote to memory of 4772 1896 cmd.exe 92
PID 1896 wrote to memory of 4772 1896 cmd.exe 92
PID 4772 wrote to memory of 2964 4772 RoamingHJJJDAEGID.exe 93
PID 4772 wrote to memory of 2964 4772 RoamingHJJJDAEGID.exe 93
PID 4772 wrote to memory of 2964 4772 RoamingHJJJDAEGID.exe 93
PID 2964 wrote to memory of 736 2964 svoutse.exe 94
PID 2964 wrote to memory of 736 2964 svoutse.exe 94
PID 2964 wrote to memory of 736 2964 svoutse.exe 94
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 736 wrote to memory of 3076 736 c6890516f9.exe 95
PID 2964 wrote to memory of 3888 2964 svoutse.exe 96
PID 2964 wrote to memory of 3888 2964 svoutse.exe 96
PID 2964 wrote to memory of 3888 2964 svoutse.exe 96
PID 3888 wrote to memory of 2936 3888 8bd2c04262.exe 97
PID 3888 wrote to memory of 2936 3888 8bd2c04262.exe 97
PID 3888 wrote to memory of 2936 3888 8bd2c04262.exe 97
PID 3888 wrote to memory of 2284 3888 8bd2c04262.exe 98
PID 3888 wrote to memory of 2284 3888 8bd2c04262.exe 98
PID 3888 wrote to memory of 2284 3888 8bd2c04262.exe 98
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 3888 wrote to memory of 4688 3888 8bd2c04262.exe 99
PID 2964 wrote to memory of 1620 2964 svoutse.exe 100
PID 2964 wrote to memory of 1620 2964 svoutse.exe 100
PID 2964 wrote to memory of 1620 2964 svoutse.exe 100
PID 3076 wrote to memory of 3024 3076 RegAsm.exe 101
PID 3076 wrote to memory of 3024 3076 RegAsm.exe 101
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
PID 3024 wrote to memory of 3392 3024 firefox.exe 104
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe (depth 4)
"C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 5)
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 7)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Suspicious use of WriteProcessMemory
PID:3024

C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d415ea4-6565-4fc8-afa2-154422a0b73c} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" gpu
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddfc0c33-f038-41c6-8c50-abb8ac752077} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" socket
PID:816

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {881c3883-9fba-407e-b0d0-4721805e0dd6} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 2 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9703ba4f-72e3-4019-8062-5ccfe118c5a9} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:588

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4708 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d9202a-5522-4e81-b751-8a6fe04b4279} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" utility
- Checks processor information in registry
PID:5236

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 4880 -prefMapHandle 5528 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eac4a1f3-eb1a-40ab-a307-0cf09ec67dcd} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:5932

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c972490-2368-416d-a0b0-5a3327a45158} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:5948

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5996 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75fcd2b4-8f68-462a-a6c8-60c8b8acb2cb} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:5964

C:\Program Files\Mozilla Firefox\firefox.exe (depth 10)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b32a036-cd2d-4cfe-9ea2-f75f4da7f995} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
PID:1376

C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 7)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 7)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 7)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID:4688

C:\Users\Admin\1000003002\8efb2a0d6e.exe (depth 6)
"C:\Users\Admin\1000003002\8efb2a0d6e.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 4
Credentials In Files 4
Downloads
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize 187KB
MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
Filesize 31KB
MD5 d0f177cf7ff50866f2adabcaf04baf13
SHA1 a302477743915ea494804f02fd9dfb2ed900426e
SHA256 198fe738c090197659138f2161d7449397939b7cc9c2d533265906a1ce84300f
SHA512 2e1505f86837991bd30f9921e93327db883e5c26de22968ace4b23064567f7f2c4494d8a094586fd2adedd511d984a18194425e521a1552d7b4d862d24abd217

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize 13KB
MD5 20997c9ecaa974b20bc17b6f8919a990
SHA1 bd4aa1c71ee09ba38cb780079b1c9eb00c9d9397
SHA256 381965e2a191b500e5ea7a5bbe018e9110144daa6424351ffa1933c4d97d41e1
SHA512 5384dbdf7ac547f074244e33277d0efa4976c2959058f76fe183b9c8888ec429fceb396a143ed5d620618f108c4423dde20759ac3cab6ad09e4e27d881695711

Filesize 1.2MB
MD5 308d0996727a81dfcb72a69e1a132108
SHA1 9b48220c70d23d2022dd33b142ba6ff8f878c7e6
SHA256 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88
SHA512 65503827ac96c6a81c6ab6a6428286b6b43fd78ded0ec255e21ca3d6f2f4ce8f2fb4f3167afcfd7c6e9b997dd448c937bea01b676f645f33dfe4fd9b88ad2c25

Filesize 196KB
MD5 aa217dbf9cb8080176f0bae19edc6305
SHA1 1753b00e1dddb7d9635ad0e9d285907445cc70b6
SHA256 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
SHA512 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Filesize 1.8MB
MD5 f92bc75eb1dd5151fcda78609b39c232
SHA1 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512 bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize 7KB
MD5 3f3c564e2df8f877334fa58a359a9196
SHA1 9df5ad5b9ebf44eca71e989ce57c55b59a18cea0
SHA256 17ec147674c18cfe00cf2ac92d44820c3f952691d805f410944332b57fe4f5f3
SHA512 64a616898b746a52e53cd884b81c269e81ecb82283ad1e0a0fc32a17fd936f50e4981f6065607efcae6b6ae85c9158b842b6e03789bcd0c22e14d6832d127b3f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize 10KB
MD5 cb9a705e610d956164d07ff991c6c72a
SHA1 f47c8071fa948ad0d579e9a6e134ec642e391bbf
SHA256 ad83dfa86df8dfe33c7d4298e7bfe21866901b80e1a50fc5c82bf05608893997
SHA512 d8416099635095ff7982c4a09a70932a4d8ce55d8c35315e453d8eb6a82ccd4478961a143091ba346ab8a96e4f4d89e4100632263a64206218fa6a5bed965c26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 7d44c04151146e70909871ebcfa2e3be
SHA1 3ae7b2170dbdb0709fc1933e4092a9b2da52cac4
SHA256 f041c6e7b9612603e33b996015776a673ff159d6a2577732786458e3a25a2bd3
SHA512 4b2fee941bb4d7813df2ae9e1f296742150782b122cf2d389e4ec592a6f79f7bb8b1d8144b2e8e7ecc0e10ed6891968a787f7a6f4ab83708ff83aabd104cdb85

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 362c40dd9d7c0d2887410cccb91a4a9b
SHA1 ddcf8485644566048a1c2a3736dd9e860608a75b
SHA256 48077af2f4a38c3a9132be2fe374d2d14f8cc611d39b189724db8bc5e5263876
SHA512 53adf103052a48d3fd07da54f501720a4e3f9a196f4be1985f8f7477ace5b7bb1e6fbf5f442a73045b69f0ed7558cb6219e8c8a4dab108186c9a28b2003f0a47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\03a1553d-02cf-4886-b13d-33a8ba4a8f45
Filesize 982B
MD5 8c4c3705a86532e3531934510291b4fa
SHA1 fe20396c6c25e0e939ab78d62db2daf893eaf43c
SHA256 7eea207c3708461f5277a25af1c86c3999d42685f62315f7d07c62ece4c1f4af
SHA512 04eaffe9cf937260cc7764895f8b1904b0d7c6ba7104a96955afbf98f37116bbc11ac3c14591d8c70707179a09642ed4014cd99f1e204395e5a489f38d7a4491

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\91b7cd40-dad0-4480-abd2-a22dcdd9fb63
Filesize 671B
MD5 3c6042283d9721ac0cc9f00e80f86d7c
SHA1 6b2750b68d48f7f605cf7163394d3baa39d98f52
SHA256 67ab4f0d9e59e6de640c43d7379f038c5299c5efe412e66946a3783226870c70
SHA512 2d394c6da1eaed625ff7e7e1d181a048d46114dbb05db1c1360550bba6f53e26ca474de0bb4301fb0775bc194db6dcbaffade7311d22e729066c48a2996980c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\94349e4f-0200-47fe-b3b2-3a8be812f43d
Filesize 27KB
MD5 9602084efd7487f23acd9c2607187560
SHA1 3d3fb13d91fc97cf3aae44ce20819dd09640342f
SHA256 6ee8a0887211e1159357b6376c672e7ff06300572b1e4c72a48c242a5cc2139e
SHA512 1b35e546e486aa62daf04a0939ee80d0ebd5d16169b82afe69cb268fd941830f12740c3a93ff819d61f89fff8f6d5ada5bc82b18b3a98ca12e6838016f9e50aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 11KB
MD5 7b72d78563594ff746f8a022579994b1
SHA1 d7e7ccf5b8b8e36d27ce23de5fdeb43a7f8f951f
SHA256 62d5474d00f9a9cbd854999805aaa46fff3c1e5f384aa7435de08a05217f0629
SHA512 2519e0290753317abf71a04ff8ce7564de21608e2c28c62aabec7c45c22f8c22ddb267a74f12084837b0eaf5324baf38d7ea23fb08402138c6b5ea679aa0def9

Filesize 12KB
MD5 19b112073814baf07088d13c24a0088e
SHA1 e4a62e062922bbba12044b97bf3004970f60b574
SHA256 6aa38ac5538575d26cac4c36702ad4a00e34e58d17d4251538cfc4267389e806
SHA512 23c3707af656f2fda62efb3f3ab34c7f83d46e8c6526801c02d9f0b3481a33895092c0ca7b101a493d201cc2d6012e72f242e33408f30962840567c8ce6106f4

Filesize 10KB
MD5 70ae9c387ce55d93f8ac71681aeef294
SHA1 3d56aa13bdfb324e6c01b9b5cb132096e4d67789
SHA256 754225a6cd92dcc3a92a022d64305553a0e2564e37dd4cf884d171eed339cc0d
SHA512 8e76b9ecb2279cd86132cadf77e7f05c8cd6b1404db72d9b15a757c806c0ee8497d665d7736cbe8336b30fa6af3688250e240b45337ab80b7a7f85e4b60aa4c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.2MB
MD5 2fa181571c8d8192e042a3977920ea2c
SHA1 5ed3eaa24c0e514154ac0dfecb776ddbe60732fa
SHA256 e61fdd7e4c00164e8e2157ce895e5b434f29b05175906ffe28a94ee7fc4a2f71
SHA512 937168a099ac0c795abbdd08a0e29f2bdd1b4da3b204edb5ef6026da4b8fcf55e0057d2ba27e7bbfc263310ab07a6f4576fe17feb3e055f9d63800ffdb09e4ed